Talk Talk’s Failed Appeal Shows Signs to Come for Data Protection Breaches

Talk Talk Telecom Group PLC (Talk Talk) is set to pay a penalty of £1,000 for its delay in notifying the Information Commissioner’s Office (ICO) of a personal data breach. Service providers are given a twenty-four-hour window in which to notify the authorities of such a breach, as required under the Electronic Communications Regulations 2003.

The telecoms company had received a letter from a customer on 18 November 2015 saying they had been given access to the personal data of another customer in error. Talk Talk did not report this breach to the ICO until 1 December 2015, but argued that it had met its obligation, as the notification had been made within twenty-four hours of the conclusion of its internal investigation into the matter.

The First-tier Tribunal (General Regulatory Chamber) dismissed this argument, finding that delaying notification in order to conduct an internal investigation was contrary to the notification requirements of Commission Regulation (611/2013) on notifications.

This decision should strike a chord with those businesses collecting personal data. The forthcoming General Data Protection Regulation (GDPR), which will come into force on 25 May 2018, requires those controlling data to notify the authorities “without undue delay”.

Companies must also maintain an audit trail detailing any reasons for a delay in notification. Failure to notify the relevant authorities correctly under the GDPR will incur far greater monetary penalties than under current data protection laws.

For further information, please see recent press coverage.